Now, the group has a new trick up its sleeves: It's mailing victims a USB storage device, with a teddy bear and supposed $50 gift card to Best Buy. "You can spend it on any product from the list of items presented on a USB stick," reads the cover letter accompanying one such attack, according to security firm Trustwave. All a victim has to do is plug the USB device into their computer.

"The enclosed USB device is a commercially available tool known as a 'BadUSB' or 'Bad Beetle USB' device," the FBI says in a flash alert to businesses that outlines the scheme. Such schemes are also known as "Bash Bunny" attacks.

"More complex are so-called 'Rubber Ducky' attacks, where what looks like a USB stick is actually, in effect, a malicious USB keyboard preloaded with keystrokes," they add. "Those types of attacks are typically so explicitly targeted that it's rare to find them coming from actual attackers in the wild. Rare, but still out there."

Bad for Business: BadUSB

"BadUSB" devices are USB storage devices that have had their firmware rewritten to facilitate malicious activities, potentially giving attackers the ability to bypass endpoint anti-virus tools and gain remote access to any system into which the USB storage device gets plugged (see: A New Way to Mitigate USB Risks).

"Never trust such a device" - not even when accompanied by a supposedly real gift card and cover letter saying all the recipient has to do is plug in the device and retrieve a list - say Trustwave's Baca and Mendrez.

The FBI says FIN7 has been mailing the malicious USB devices to potential victims, sometimes also while running a phishing attack.

"When plugged into a target system, the USB registers as a Keyboard HID Keyboard Device with a Vendor ID (VID) of 0x2341 and a Product ID (PID) of 0x8037," the alert says. "The USB injects a series of keystroke commands, including the (Windows + R) shortcut to launch the Windows Run Dialog to run a PowerShell command to download and execute a malware payload from an attacker-controlled server. The USB device then calls out to domains or IP addresses that are currently located in Russia."

The FBI says the domains or IP addresses that the device pings then push a copy of Griffon malware back to the device, which has been previously attached to phishing emails sent by FIN7. Griffon gives the attackers a back door for remotely accessing the infected system and thus everything on it. Potentially, the infected system can also give attackers a stepping stone to the rest of a corporate network.
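The alert's key detection artifact is that the mailed device enumerates as a keyboard, not as storage, and carries a fixed VID/PID pair. The following is an added example (not code from the article, the FBI alert or Trustwave) showing how a defender could triage a Windows Plug-and-Play device inventory for that pair and for any extra USB keyboard on a host that already has a built-in one. The device list, the helper names (`PnpDevice`, `parse_vid_pid`, `triage`) and the serial numbers in the sample are assumptions constructed for the example; the VID/PID values are the ones quoted in the alert.

```python
import re
from dataclasses import dataclass

# VID/PID pair the FBI flash alert attributes to the FIN7 BadUSB devices (quoted in
# the article). 0x2341 is the USB vendor ID registered to Arduino; an Arduino-based
# board enumerating as a keyboard on an office PC points to a keystroke-injection
# device rather than a storage stick.
WATCHLIST = {(0x2341, 0x8037): "VID/PID from FBI flash alert on FIN7 BadUSB mailers"}

# Windows PnP instance IDs embed the USB identifiers as VID_xxxx&PID_xxxx (hex).
_VID_PID_RE = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)


@dataclass
class PnpDevice:
    instance_id: str    # as Get-PnpDevice reports it (assumed input format)
    device_class: str   # Keyboard, DiskDrive, HIDClass, ...
    friendly_name: str


def parse_vid_pid(instance_id: str):
    """Return (vid, pid) as ints, or None when the ID carries no USB identifiers."""
    m = _VID_PID_RE.search(instance_id)
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


def triage(devices):
    """Return (severity, instance_id, reason) tuples for devices worth a look."""
    findings = []
    keyboards = [d for d in devices if d.device_class.lower() == "keyboard"]
    # A built-in or PS/2 keyboard enumerates under ACPI\, not under HID\ or USB\.
    has_builtin = any(d.instance_id.upper().startswith("ACPI\\") for d in keyboards)
    for d in devices:
        ids = parse_vid_pid(d.instance_id)
        if ids in WATCHLIST:
            findings.append(("high", d.instance_id, WATCHLIST[ids]))
        elif d in keyboards and ids is not None and has_builtin:
            # Heuristic only: a second keyboard is common (docks, wireless
            # receivers), so this is a low-severity prompt to check, not an alert.
            findings.append(("low", d.instance_id,
                             "extra USB keyboard on a host that already has one"))
    return findings


# Constructed sample inventory (not real telemetry); serial portions are made up.
SAMPLE = [
    PnpDevice(r"ACPI\PNP0303\4&2F1E9A1&0", "Keyboard", "Standard PS/2 Keyboard"),
    PnpDevice(r"HID\VID_046D&PID_C52B&MI_00\8&1B3C5D7&0&0000", "Keyboard",
              "HID Keyboard Device"),
    PnpDevice(r"HID\VID_2341&PID_8037&MI_02\7&1A2B3C4D&0&0000", "Keyboard",
              "HID Keyboard Device"),
    PnpDevice(r"USBSTOR\DISK&VEN_SANDISK&PROD_ULTRA&REV_1.00\4C530001&0", "DiskDrive",
              "SanDisk Ultra USB Device"),
]

if __name__ == "__main__":
    for severity, instance_id, reason in triage(SAMPLE):
        print(f"[{severity}] {instance_id}: {reason}")
```

On a real host the input list can be produced with `Get-PnpDevice | Select-Object InstanceId, Class, FriendlyName` in PowerShell and fed to `triage`; the watchlist match is the actionable finding, while the extra-keyboard heuristic only narrows what to look at, since docks and wireless receivers legitimately add keyboards.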

Trustwave says one of its clients in the hospitality industry was on the receiving end of one such attack. As detailed in the FBI's alert, the USB controller chip had been "reprogrammed for an unintended use - in this case as an emulated USB keyboard," meaning that simply plugging in the device could "infect unsuspecting users' computer without them realizing it."

Attack flow (Source: Trustwave)

Running these types of attacks is relatively inexpensive. While attackers can spend $100 or more on a USB device with a full-featured microcontroller, the FBI says the microcontroller used in one of the FIN7 attacks it studied is an ATMEGA24U, while Trustwave studied a separate attack that involved an ATMEGA32U4, each of which retails for $5 to $14, depending on the supplier, Bleeping Computer reports.

FIN7: $1 Billion in Fraud and Counting

Previously, the FIN7 gang was tied to what the U.S. Justice Department described as a "highly sophisticated malware campaign" that's pummeled more than 100 U.S. businesses - especially in the restaurant, gaming, and hospitality sectors. Arby's, Chili's, Chipotle Mexican Grill and Jason's Deli are among the data breach victims that have confirmed attacks tied to FIN7 (see: Chipotle: Hackers Dined Out on Most Restaurants).

FIN7 has perpetrated more than $1 billion in fraud, in part, by stealing details for more than 15 million payment card records from more than 6,500 point-of-sale terminals across more than 3,600 business locations, the Justice Department says.

In 2018, the Justice Department unsealed indictments against three alleged members of the FIN7 hacking gang: Dmytro Fedorov, Fedir Hladyr and Andrii Kolpakov. All are Ukrainian nationals.

Hladyr, who prosecutors accused of serving as "a high-level systems administrator" for the gang, was arrested in Dresden, Germany, in January 2018, and extradited to the U.S. Last September, he pleaded guilty to conspiracy to commit wire fraud, which carries a maximum 20-year prison sentence, and conspiracy to commit computer hacking, which carries up to a five-year penalty, and agreed to pay up $2.5 million in restitution (see: Credit Card Theft Ringleader Pleads Guilty).

In 2018, Fedorov was arrested in Bielsko-Biala, Poland, while Kolpakov was arrested in Lepe, Spain. Both were later extradited to the U.S. and pleaded not guilty. A trial against the two men began in August 2019 and is set to continue this October. They each face 26 felony counts, ranging from identity theft to conspiracy to commit computer hacking.

In the meantime, their alleged FIN7 accomplices appear to be carrying on, now armed not just with malware, but stuffed toys.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
